Comment 11 for bug 1754682

James Page (james-page) wrote : Re: [Bug 1754682] Re: Pike - keystone with SSL PKI unconfigured unable to load certificate

I think you need to not use:

https-service-endpoints=True and use-https=True

This activates the self-signed features in the keystone charm which I think
will take precedence over any provided using ssl* options.
On Sun, 11 Mar 2018 at 08:30, Vern Hart <email address hidden> wrote:

> We received the new certs and they were exactly the same as the previous
> certs -- which suggests their certs were maybe not the problem.
>
> The client's certificates were signed by a sub certificate authority
> which was signed by their root certificate. Previously we had the host
> cert in ssl_cert and the sub-ca cert in ssl_ca. The new certs included
> the cert for their root server so I did two things:
>
> # I used their root cert for ssl_ca.
> # I concatenated the sub-ca and root certs into the host cert files and
> used the new combined cert as ssl_cert. (cat old-cert.crt subca.crt
> root.crt > new-cert.crt)
>
> After redeploying openstack bundle, things are working as expected.
>
> To clarify, in addition to combining certs, we also have
> https-service-endpoints=True and use-https=True. And enable-pki is the
> default (False).
>
> --
> You received this bug notification because you are a member of Canonical
> Field Critical, which is subscribed to the bug report.
> Matching subscriptions: openstack-charms
> https://bugs.launchpad.net/bugs/1754682
>
> Title:
> Pike - keystone with SSL PKI unconfigured unable to load certificate
>
> Status in OpenStack keystone charm:
> Incomplete
>
> Bug description:
> From keystone.log
>
>   (keystoneclient.common.cms): 2018-03-08 23:20:50,811 ERROR Signing error: Unable to load certificate - ensure you have configured PKI with "keystone-manage pki_setup"
>   (keystone.common.wsgi): 2018-03-08 23:20:50,812 ERROR Command 'openssl' returned non-zero exit status 3
>   Traceback (most recent call last):
>     File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 228, in __call__
>       result = method(req, **params)
>     File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 94, in inner
>       return f(self, request, *args, **kwargs)
>     File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 350, in revocation_list
>       CONF.signing.keyfile)
>     File "/usr/lib/python2.7/dist-packages/keystoneclient/common/cms.py", line 336, in cms_sign_text
>       signing_key_file_name, message_digest=message_digest)
>     File "/usr/lib/python2.7/dist-packages/keystoneclient/common/cms.py", line 384, in cms_sign_data
>       raise subprocess.CalledProcessError(retcode, 'openssl')
>   CalledProcessError: Command 'openssl' returned non-zero exit status 3
>
>
> From the charm in keystone_hooks.py I see that it is supposed to skip
> this for Pike.
>
>     if CompareOpenStackReleases(os_release('keystone-common')) >= 'pike':
>         # pike dropped support for PKI token; skip function
>         return
>
> However the log seems to contradict this.
>
> We are seeing a lack of usability with keystone with Pike + SSL.
> Without SSL this same environment was functional. The above is the
> only error in keystone. Currently the CLI and dashboard are not
> available.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/charm-keystone/+bug/1754682/+subscriptions
>
> Launchpad-Notification-Type: bug
> Launchpad-Bug: product=charm-keystone; milestone=18.05; status=Incomplete;
> importance=High; <email address hidden>;
> Launchpad-Bug-Tags: cdo-qa-blocker cpe-onsite
> Launchpad-Bug-Information-Type: Public
> Launchpad-Bug-Private: no
> Launchpad-Bug-Security-Vulnerability: no
> Launchpad-Bug-Commenters: 1chb1n cgregan jhillman vhart
> Launchpad-Bug-Reporter: Jeff Hillman (jhillman)
> Launchpad-Bug-Modifier: Vern Hart (vhart)
> Launchpad-Message-Rationale: Subscriber @field-critical
> Launchpad-Message-For: field-critical
> Launchpad-Subscription: openstack-charms
>